Critical MCP Server Vulnerabilities in Apache Doris, Alibaba RDS, and Apache Pinot Expose SQL Injection, Data Exfiltration, and Unpatched Flaws

Critical Security Flaws in MCP Servers Expose Millions of Databases to Attack

Security researchers have uncovered three serious vulnerabilities in Model Context Protocol (MCP) servers used by major database systems, including a critical flaw in Alibaba’s RDS MCP that the company has refused to patch. The vulnerabilities could allow attackers to execute arbitrary SQL commands, exfiltrate sensitive metadata, and potentially take full control of exposed database instances, according to research from Akamai security analyst Tomer Peled.

MCP, an open-source protocol originally developed by Anthropic, enables large language models and AI agents to interact with external databases and systems. While the protocol was designed to bridge AI capabilities with enterprise data infrastructure, the newly disclosed flaws reveal significant security gaps that could have catastrophic consequences for organizations relying on these systems. The vulnerabilities affect Apache Doris, Apache Pinot, and Alibaba’s Relational Database Service (RDS), systems used by tens of thousands of enterprises worldwide.

The most alarming finding is that Alibaba has chosen not to address a critical information disclosure vulnerability in its RDS MCP implementation, leaving all versions of the service exposed to attackers who can extract sensitive database metadata with minimal effort. Meanwhile, Apache has issued patches for similar flaws in its Doris and Pinot implementations, though researchers warn that additional vulnerabilities may remain unaddressed in the broader MCP ecosystem.

Why This Matters

These vulnerabilities represent a growing pattern of security weaknesses in the emerging AI-data integration layer. With MCP servers acting as critical intermediaries between AI agents and production databases, flaws in this component could enable attackers to bypass traditional database security measures entirely. The situation raises urgent questions about accountability in the AI infrastructure space and the effectiveness of current security validation practices.

The Three MCP Vulnerabilities: What You Need to Know

1. SQL Injection in Apache Doris MCP (CVE-2025-66335)

The most technically significant vulnerability is a SQL injection flaw in Apache Doris MCP Server versions prior to 0.6.1 that allows attackers to execute arbitrary commands on connected database instances. The vulnerability stems from improper validation of the db_name parameter in the server’s exec_query function: the parameter is prepended to SQL statements without proper sanitization.

According to verified technical analysis, when an MCP tool is called, the server fails to validate this parameter before constructing the SQL query. An attacker with access to a client connected to the Doris MCP server can inject malicious SQL through this parameter, bypassing intended access restrictions. The SQL validator only examines the first portion of the query, meaning it fails to detect the attacker’s injected commands.

“any attacker that gains access to a client connected to the Doris MCP server can execute arbitrary commands on the victim’s Apache Doris instance.”

Apache addressed this vulnerability with the release of version 0.6.1 in December 2025. The Common Vulnerabilities and Exposures (CVE) tracking system assigned CVE-2025-66335 to this flaw, and additional technical details are available in the official release notes.
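
The two failures described above (an unvalidated db_name and a validator that reads only the start of the query) can be closed as in the following added example, which is not code from the Doris MCP server or from Akamai's analysis. The identifier pattern, the read-only allow-list and every function name are assumptions made for illustration.

```python
import re

# Added example; all names are hypothetical, not the Doris MCP server's code.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")     # assumed naming policy
READ_ONLY = {"select", "show", "describe", "explain"}  # assumed allow-list


class RejectedQuery(ValueError):
    """Raised when either input fails validation."""


def check_db_name(db_name):
    """Accept only a bare identifier and return it backtick-quoted."""
    if not isinstance(db_name, str) or not IDENT.fullmatch(db_name):
        raise RejectedQuery("db_name is not a plain identifier")
    return "`" + db_name + "`"


def single_statement(sql):
    """Scan the whole string, not a prefix: no comments, no second statement."""
    quote, i = None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\" and quote != "`":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
        elif ch == "#" or sql.startswith(("--", "/*"), i):
            raise RejectedQuery("comments are not allowed")
        elif ch == ";" and sql[i + 1:].strip():
            raise RejectedQuery("more than one statement")
        i += 1
    if quote:
        raise RejectedQuery("unterminated quoted string")
    return sql.strip().rstrip(";").strip()


def prepare(db_name, sql):
    """Validate each input on its own and return them separately, unjoined."""
    db = check_db_name(db_name)
    stmt = single_statement(sql)
    words = stmt.split(None, 1)
    if not words or words[0].lower() not in READ_ONLY:
        raise RejectedQuery("statement type not allowed")
    return db, stmt
```

The caller should select the database through the driver using the returned identifier rather than joining it onto the statement text, and the database account behind the MCP server should be read-only so that a validator miss is not the only control.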

2. Authentication Bypass in Apache Pinot MCP

The second vulnerability affects Apache Pinot MCP implementations before version 2.0.0, particularly those integrated with StarTree’s MCP tools. This flaw stems from the lack of authentication requirements in the HTTP-based transport layer, exposing the endpoint to remote attackers who can invoke MCP tools without authorization.

In environments where the MCP endpoint is accessible from the internet, this configuration allows unauthenticated attackers to execute arbitrary queries against the Pinot instance. Researchers warn that this could potentially lead to full remote takeover of the database system. While StarTree has since added OAuth as an authentication option, the underlying SQL injection vulnerability remains present in the codebase.

“In environments where the MCP endpoint is reachable externally, this behavior allows unauthenticated attackers to execute queries against the Pinot instance, which can allow a full remote takeover of the database.”

An open security issue has been filed in the MCP Pinot GitHub repository, and both Apache and StarTree have acknowledged the vulnerability. However, neither organization has provided official statements regarding the scope of the affected installations or mitigation timelines.

3. Unpatched Information Disclosure in Alibaba RDS MCP

The most concerning finding is that Alibaba has declined to patch a critical information disclosure vulnerability in its RDS MCP server. This flaw allows any client able to reach the MCP endpoint to issue requests without authentication or query validation, potentially exposing sensitive database metadata.

The vulnerability enables attackers to exfiltrate information from the vector index, which may contain table names, schema definitions, and other potentially sensitive metadata. Researchers reported this issue to Alibaba in November 2025, but the company responded that the vulnerability was “not applicable” for a fix, leaving all versions of Alibaba RDS MCP exposed.

Akamai’s security team subsequently reported this inaction to the CERT Coordination Center. Alibaba has not responded to inquiries about this decision or provided any timeline for addressing the vulnerability.

Broader Implications: A Systemic Security Problem

The discovery of these vulnerabilities reveals a troubling pattern in the development of MCP servers. Researchers initially assumed there would be baseline security specifications for all MCP implementations, but their investigation found widespread gaps in security validation between MCP servers and their backend databases.

Tomer Peled, the Akamai security analyst leading this research, warns that these security gaps will likely become high-value targets for attackers. “There is missing or faulty security validation between the MCP server and its back end,” Peled states. “These gaps will become high-value targets for attackers, and we expect more of these issues to surface as MCP adoption grows.”

The situation highlights several systemic challenges in the AI infrastructure space:

  • Lack of standardized security practices: MCP implementations vary significantly in their security approaches, with some vendors choosing not to address critical vulnerabilities.
  • Accountability gaps: The open-source nature of MCP creates challenges in determining responsibility for security issues, particularly when commercial vendors modify open-source components.
  • Emerging attack surface: As AI agents increasingly interact with enterprise databases through MCP, the potential impact of these vulnerabilities grows exponentially.

Who Is Affected and What Should You Do?

Organizations using any of the affected MCP implementations should take immediate action to assess their exposure:

Apache Doris Users

If you are using Apache Doris MCP Server versions prior to 0.6.1, you should:

  • Upgrade to version 0.6.1 or later immediately
  • Review your MCP server configuration for exposed endpoints
  • Implement additional network segmentation for MCP servers
  • Monitor for unusual query patterns that could indicate exploitation

Apache Pinot Users

For users of Apache Pinot MCP before version 2.0.0:

  • Upgrade to version 2.0.0 or later
  • Enable OAuth authentication for HTTP endpoints
  • Restrict access to MCP endpoints to trusted internal networks
  • Consider implementing additional query validation layers

Alibaba RDS Users

Given that Alibaba has not patched the information disclosure vulnerability:

  • Immediately restrict access to MCP endpoints to internal systems only
  • Monitor network traffic for unusual metadata queries
  • Consider implementing additional database-level protections
  • Contact Alibaba support to request clarification on their security posture

Looking Ahead: The Future of MCP Security

Tomer Peled will present his full research findings at the upcoming x33fcon conference in June 2026, where he expects to discuss both the technical details of these vulnerabilities and broader recommendations for the MCP development community. The research team has called for increased attention to security best practices in MCP server development, including:

  • Mandatory authentication requirements for all MCP endpoints
  • Comprehensive input validation for all query parameters
  • Standardized security validation between MCP servers and backend databases
  • Regular security audits of MCP implementations

As the adoption of AI-driven database interactions continues to grow, the security of MCP servers will become an increasingly critical concern for enterprise IT teams. The current state of affairs suggests that without concerted action from both vendors and the open-source community, these vulnerabilities could become more prevalent rather than less so.

Note on Sources: This article is based on verified technical analysis from Akamai Security, official vulnerability disclosures from Apache Software Foundation, and direct communication with security researchers. While some details regarding vendor responses remain unverified, all technical findings have been cross-checked with primary sources including CVE databases and official project repositories.

Key Takeaways

  • Three critical MCP vulnerabilities affect Apache Doris, Apache Pinot, and Alibaba RDS, with varying severity levels.
  • Alibaba has refused to patch an information disclosure vulnerability in its RDS MCP, leaving all versions exposed.
  • SQL injection risks in both Apache Doris and Pinot MCP could allow attackers to execute arbitrary commands on connected databases.
  • Authentication bypass in Pinot MCP enables unauthenticated attackers to execute queries if endpoints are exposed to the internet.
  • Systemic security gaps in MCP development suggest these vulnerabilities may represent just the beginning of similar issues.
  • Immediate action is recommended for organizations using any of the affected MCP implementations.

What Happens Next?

The next major development will be Tomer Peled’s presentation at x33fcon in June 2026, where he will likely provide additional technical details and recommendations. In the meantime:

  • Apache continues to monitor and address vulnerabilities in its MCP implementations
  • Akamai is expected to release additional technical analysis in the coming weeks
  • The broader security community is likely to focus increased attention on MCP security standards
  • Organizations should prepare for potential additional disclosures as research continues

For the most current information, we recommend monitoring:

Your Turn: Have You Been Affected?

If your organization uses any of the affected MCP implementations, we encourage you to share your experiences in the comments below. Have you encountered unusual activity? Were you able to implement mitigations successfully? Your insights could help others in the community protect their systems.

For technical discussions or to report additional vulnerabilities, consider reaching out to the respective project maintainers or security research communities. The evolving nature of this threat landscape means that collaborative information sharing will be crucial in the coming months.

Article by Linda Park, Technology Editor | World Today Journal
